From 46b8536a2799791d7afdc2bc773de1ece1323c4f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 13 Dec 2024 14:14:36 +0100 Subject: [PATCH] mbedtls: add TEST_CSPRNG_GENERATOR to the list of non-CS sources Strong entropy/random sources are a must to get secure crypto algorithms, but sometimes its useful to allow non-CS sources as well for sake of test purposes. MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG was designed exactly for this scope, but recently also TEST_CSPRNG_GENERATOR was added and it acts similarly: - MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG operates in "zephyr/modules/mbedtls/zephyr_entropy.c" allowing mbedtls_psa_external_get_random() to try both sys_csrand_get() first and then sys_rand_get() as fallback. - TEST_CSPRNG_GENERATOR instead operates in "zephyr/subsys/random/random_test_csprng.c" and it basically wraps the call to sys_csrand_get() with a call to sys_rand_get(). Albeit they operate at different level, the result is identical, so Mbed TLS should support both of them when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is set and there is no CSPRNG_ENABLED. Signed-off-by: Valerio Setti --- modules/mbedtls/CMakeLists.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/mbedtls/CMakeLists.txt b/modules/mbedtls/CMakeLists.txt index e2bbe13f502..61c7400017d 100644 --- a/modules/mbedtls/CMakeLists.txt +++ b/modules/mbedtls/CMakeLists.txt @@ -12,7 +12,8 @@ zephyr_interface_library_named(mbedTLS) endif() if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) - if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG) + if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG OR + CONFIG_TEST_CSPRNG_GENERATOR) message(WARNING " Non cryptographycally secure sources are enabled for psa_generate_random(). This is meant to be used only for tests, not in production!")